[OpenID] pbwiki encounters (i.e. wiki.openid.net encounters)

David Recordon drecordon at sixapart.com
Mon Dec 29 04:42:34 UTC 2008 

Hey Peter,
Thanks for putting together this list.  Chris and I will followup with  
the PBWiki team and see how much of this stuff we can get fixed.

--David

On Dec 24, 2008, at 12:50 PM, Peter Williams wrote:

>
>
> 1.       The PBwiki service continues to cause me major grief when  
> handing off to myopenid (anyone else see this!!?? Why just me!?) It  
> sends bad messages to the OP, about 90% of the time. There is no  
> recovery possibility. Sometimes it works, though, if you fiddle like  
> a programmer (*)
>
> 2.       Be cute if their nice, new commenting feature (which  
> accepts a URI) was openid enabled. Be much better experience than  
> forcing members to type in name and an email. http://blog.pbwiki.com/2008/12/19/new-feature-now-readers-can-comment-on-wiki-pages/
>
> 3.       There are some basic security flaws in the  hosting model  
> (when augmented with openid). The challenge delivered at the OP asks  
> for release authority to my.pbwiki.com SP, which does not align with  
> the fact that the previous page text (and the address bar) was  
> making be believe I’m talking to wiki.openid.net.
>
> 4.      The OP reports: You must sign in to authenticate to http://my.pbwiki.com/ 
>  as http://homepw.myopenid.com/ . This is not what I asked for: I  
> asked for identity verification of https://homepw.myopenid.com/. The  
> handoff to the OP does seem to be over https though. I cannot tell  
> if this is OP issue, SP issue, or the nature of OpenID Auth  
> procedures.
>
> 5.       There are some basic security flaws in the  hosting model  
> (when augmented with SSL). The foundation should buy its own cert,  
> and let Pbwiki do proper SSL virtual hosting. This doesn’t solve 3  
> though, which is rather more serious. They need to virtualize their  
> openid SP realms - to match the wiki virtual hosting domains. They  
> need to ensure the right hosted cert is used per openid (hosted)  
> realm, and its reflected in the XRDS (see 8).
>
> 6.       Prior to the OP handoff, IE generates warnings about mixed  
> content from multiple assurance zones.
>
> 7.       On releasing the assertion to my.pbwiki.com, the url is https://my.pbwiki.com//?p=openid&o=f&janrain_nonce=2008-12-24T20%3A18%3A15Z7bd4p0&openid1_claimed_id=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.assoc_handle=%7BHMAC-SHA1%7D%7B49496232%7D%7B3wxYag%3D%3D%7D&openid.identity=https%3A%2F%2Fhomepw.myopenid.com%2F&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.myopenid.com%2Fserver&openid.response_nonce=2008-12-24T20%3A20%3A22Zng6R5h&openid.return_to=http%3A%2F%2Fmy.pbwiki.com%2F%2F%3Fp%3Dopenid%26o%3Df%26janrain_nonce%3D2008-12-24T20%253A18%253A15Z7bd4p0%26openid1_claimed_id%3Dhttps%253A%252F%252Fhomepw.myopenid.com%252F&openid.sig=G31sZRRUGcnvO9UitvBiQEjwF9A%3D&openid.signed=assoc_handle%2Cidentity%2Cmode%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Csreg.email%2Csreg.fullname%2Csreg.nickname&openid.sreg.email=home_pw%40msn.com&openid.sreg.fullname=Peter+Williams&openid.sreg.nickname=peter 
>  so evidently the perceived claim being verified by the SP is https://homepw 
>  not http://homepw. Is this an OP UI issue?
>
> 8.       The XRDS at http://my.pbwiki.com/xrds.php makes namespace  
> assertions for its https cousin. Once the openid SP is properly  
> virtualized, the wiki.openid.net realm will need to be published at https://wiki.openid.net/ 
> ... , obviously.
>
> HTTP/1.0 200 OK
> Date: Wed, 24 Dec 2008 20:37:27 GMT
> Server: Apache
> Connection: close
> Content-Type: application/xrds+xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS
>     xmlns:xrds="xri://$xrds"
>     xmlns:openid="http://openid.net/xmlns/1.0"
>     xmlns="xri://$xrd*($v*2.0)">
>   <XRD>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/return_to</Type>
>       <URI>https://my.pbwiki.com//?p=openid</URI>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
>
>
> (*)it works quite predictably after a first failure if one tries a  
> second time, but only if one uses the back menu to go to the “typein  
> url” screen at my.pbwiki.com. Going back one screen to their post- 
> handler just repeats the protocol violation. Somehow the race is  
> sorted out, the second time around. (On refresh the second time, the  
> graphic that causes the race in IE does not seem to render. HINT.)
>
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081228/09ddd3f6/attachment-0002.htm>

More information about the general mailing list